update: 2025.2.4 -> 2025.4.0

See https://docs.goauthentik.io/docs/releases/2025.4
Maximilian Bosch 2025-05-03 16:22:32 +02:00
parent 618330bee6
commit 893670fa74
No known key found for this signature in database
8 changed files with 194 additions and 369 deletions


@ -1,45 +0,0 @@
{
authentik-src,
authentik-version,
authentikPoetryOverrides,
buildNapalmPackage,
defaultPoetryOverrides,
mkPoetryEnv,
pkgs,
}:
pkgs.lib.makeScope pkgs.newScope (
final:
let
docs = final.callPackage ./docs.nix { };
frontend = final.callPackage ./frontend.nix { };
pythonEnv = final.callPackage ./pythonEnv.nix { };
# server + outposts
gopkgs = final.callPackage ./gopkgs.nix { };
staticWorkdirDeps = final.callPackage ./staticWorkdirDeps.nix { };
migrate = final.callPackage ./migrate.nix { };
# worker
manage = final.callPackage ./manage.nix { };
in
{
authentikComponents = {
inherit
docs
frontend
pythonEnv
gopkgs
staticWorkdirDeps
migrate
manage
;
};
inherit
authentik-src
authentik-version
buildNapalmPackage
mkPoetryEnv
defaultPoetryOverrides
authentikPoetryOverrides
;
}
)


@ -17,7 +17,6 @@ buildNapalmPackage "${authentik-src}/website" {
"npm run build-bundled"
];
installPhase = ''
rm -r ../website/node_modules/.cache
rm -f ../website/static/blueprints
mv -v ../website $out
cp -vr ../blueprints $out/static/blueprints


@ -2,12 +2,12 @@
authentik-src,
authentik-version,
authentikComponents,
buildGo123Module,
buildGo124Module,
lib,
makeWrapper,
}:
buildGo123Module {
buildGo124Module {
pname = "authentik-gopkgs";
version = authentik-version;
prePatch = ''
@ -42,7 +42,7 @@ buildGo123Module {
"cmd/proxy"
"cmd/radius"
];
vendorHash = "sha256-aG/VqpmHJeGyF98aS0jgwEAq1R5c8VggeJxLWS9W8HY=";
vendorHash = "sha256-cEB22KFDONcJBq/FvLpYKN7Zd06mh8SACvCSuj5i4fI=";
nativeBuildInputs = [ makeWrapper ];
doCheck = false;
postInstall = ''


@ -0,0 +1,68 @@
{
lib,
krb5,
libpq,
}:
let
# Specify build system for dependencies where metadata is incomplete.
buildSystemOverrides =
final: prev:
let
buildSystemOverrides = {
gssapi = {
setuptools = [ ];
cython = [ ];
};
django-tenants.setuptools = [ ];
opencontainers.setuptools = [ ];
djangorestframework.setuptools = [ ];
psycopg-c = {
setuptools = [ ];
cython = [ ];
};
};
inherit (final) resolveBuildSystem;
in
lib.mapAttrs (
name: spec:
prev.${name}.overrideAttrs (old: {
nativeBuildInputs = old.nativeBuildInputs ++ resolveBuildSystem spec;
})
) buildSystemOverrides;
# Fixes for dependencies with C libraries.
buildFixes = final: prev: {
gssapi = prev.gssapi.overrideAttrs (
{
buildInputs ? [ ],
...
}:
{
postPatch = ''
substituteInPlace setup.py \
--replace-fail 'get_output(f"{kc} gssapi --prefix")' '"${krb5.dev}"'
'';
buildInputs = buildInputs ++ [
krb5
];
}
);
psycopg-c = prev.psycopg-c.overrideAttrs (
{
nativeBuildInputs ? [ ],
buildInputs ? [ ],
...
}:
{
buildInputs = buildInputs ++ [
libpq
];
nativeBuildInputs = nativeBuildInputs ++ [
libpq.pg_config
];
}
);
};
in
lib.composeExtensions buildSystemOverrides buildFixes
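Review bot: The build-system overlay reads `old.nativeBuildInputs` with no fallback, while the `buildFixes` overlay in the same file defaults its inputs with `buildInputs ? [ ]`. If one of the listed packages does not carry the attribute, evaluation fails instead of just appending, so `nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ resolveBuildSystem spec;` would keep the two overlays consistent. The inner `let` also rebinds `buildSystemOverrides`, shadowing the overlay's own name; renaming the inner attrset (for example `buildSystemSpecs`) would make the `lib.mapAttrs` call easier to follow.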


@ -1,25 +1,30 @@
{
authentik-src,
authentikPoetryOverrides,
defaultPoetryOverrides,
lib,
mkPoetryEnv,
python312,
callPackage,
authentik-src,
uv2nix,
pythonOverlay,
python,
pyproject-nix,
pyproject-build-systems,
}:
mkPoetryEnv {
projectDir = authentik-src;
python = python312;
overrides = [
defaultPoetryOverrides
] ++ authentikPoetryOverrides;
groups = [ "main" ];
checkGroups = [ ];
# workaround to remove dev-dependencies for the current combination of legacy
# used by authentik and poetry2nix's behavior
pyproject = builtins.toFile "patched-pyproject.toml" (
lib.replaceStrings [ "tool.poetry.dev-dependencies" ] [ "tool.poetry.group.dev.dependencies" ] (
builtins.readFile "${authentik-src}/pyproject.toml"
)
let
workspace = uv2nix.lib.workspace.loadWorkspace { workspaceRoot = authentik-src; };
projectOverlay = workspace.mkPyprojectOverlay {
sourcePreference = "wheel";
};
pythonSet =
(callPackage pyproject-nix.build.packages {
inherit python;
}).overrideScope
(
lib.composeManyExtensions [
pyproject-build-systems.overlays.default
projectOverlay
pythonOverlay
]
);
}
in
pythonSet.mkVirtualEnv "authentik-env" (workspace.deps.default)
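Review bot: `sourcePreference = "wheel"` makes prebuilt wheels the default for every dependency, and nothing in the file records what that means for the native extensions this commit stops building from source (the removed overrides covered `cryptography`, `bcrypt`, `orjson` and `xmlsec`, among others). Such wheels typically bundle their own copies of libraries like OpenSSL or libxml2, so nixpkgs security updates would no longer reach them, and their integrity presumably rests on the hashes in the upstream `uv.lock`. A comment above the setting stating that trade-off, e.g. `# wheels bundle their own native libs; pinned by uv.lock, not patched via nixpkgs`, would help, and it is worth considering whether the security-critical packages should be built from sdist against nixpkgs libraries instead.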

103
flake.lock generated

@ -3,16 +3,16 @@
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1744135136,
"narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=",
"lastModified": 1745954192,
"narHash": "sha256-QuIgeu3CN6S44/zSiaj+iIkDz2494mb1MWvD3eYYkVE=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "74eab55c615b156e4191ee98dc789e2d58c016f9",
"rev": "22412729e2379d645da2ac0c0270a0ac6147945e",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.2.4",
"ref": "version/2025.4.0",
"repo": "authentik",
"type": "github"
}
@ -95,27 +95,6 @@
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1729742964,
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1745391562,
@ -147,31 +126,49 @@
"type": "github"
}
},
"poetry2nix": {
"pyproject-build-systems": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixpkgs"
],
"systems": [
"systems"
"pyproject-nix": [
"pyproject-nix"
],
"treefmt-nix": "treefmt-nix"
"uv2nix": [
"uv2nix"
]
},
"locked": {
"lastModified": 1743690424,
"narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94",
"lastModified": 1744599653,
"narHash": "sha256-nysSwVVjG4hKoOjhjvE6U5lIKA8sEr1d1QzEfZsannU=",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"rev": "7dba6dbc73120e15b558754c26024f6c93015dd7",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"owner": "pyproject-nix",
"repo": "build-system-pkgs",
"type": "github"
}
},
"pyproject-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1745782090,
"narHash": "sha256-c/mqxgOVDcwrdcY3FqG22MwLPGY5rCz5gte1sxISKnM=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "2db2d95ddbc4ff5e29730cb82fdba6647be258a7",
"type": "github"
},
"original": {
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
@ -183,8 +180,10 @@
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": "nixpkgs",
"poetry2nix": "poetry2nix",
"systems": "systems"
"pyproject-build-systems": "pyproject-build-systems",
"pyproject-nix": "pyproject-nix",
"systems": "systems",
"uv2nix": "uv2nix"
}
},
"systems": {
@ -202,24 +201,26 @@
"type": "github"
}
},
"treefmt-nix": {
"uv2nix": {
"inputs": {
"nixpkgs": [
"poetry2nix",
"nixpkgs"
],
"pyproject-nix": [
"pyproject-nix"
]
},
"locked": {
"lastModified": 1730120726,
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
"lastModified": 1746016711,
"narHash": "sha256-vt/UBCdZGvT9oNH5IqHc91KExbwA5pBh9fCTw8lZqqc=",
"owner": "pyproject-nix",
"repo": "uv2nix",
"rev": "6d19baf0fcc7a013ae9c1c188bbf7cfe37b566e0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"owner": "pyproject-nix",
"repo": "uv2nix",
"type": "github"
}
}


@ -13,16 +13,26 @@
flake = false;
};
pyproject-nix = {
url = "github:pyproject-nix/pyproject.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
uv2nix = {
url = "github:pyproject-nix/uv2nix";
inputs.pyproject-nix.follows = "pyproject-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
pyproject-build-systems = {
url = "github:pyproject-nix/build-system-pkgs";
inputs.pyproject-nix.follows = "pyproject-nix";
inputs.uv2nix.follows = "uv2nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
poetry2nix = {
url = "github:nix-community/poetry2nix";
inputs = {
nixpkgs.follows = "nixpkgs";
flake-utils.follows = "flake-utils";
systems.follows = "systems";
};
};
napalm = {
url = "github:willibutz/napalm/avoid-foldl-stack-overflow";
inputs = {
@ -32,7 +42,7 @@
};
authentik-src = {
# change version string in outputs as well when updating
url = "github:goauthentik/authentik/version/2025.2.4";
url = "github:goauthentik/authentik/version/2025.4.0";
flake = false;
};
};
@ -40,11 +50,12 @@
outputs =
inputs@{
self,
nixpkgs,
flake-parts,
poetry2nix,
napalm,
authentik-src,
uv2nix,
pyproject-build-systems,
pyproject-nix,
...
}:
@ -56,7 +67,7 @@
...
}:
let
authentik-version = "2025.2.4"; # to pass to the drvs of some components
authentik-version = "2025.4.0"; # to pass to the drvs of some components
in
{
systems = import inputs.systems;
@ -98,23 +109,36 @@
{
pkgs,
system ? pkgs.stdenv.hostPlatform.system,
python ? pkgs.python312,
authentik-version ? authentik-version',
mkPoetryEnv ? (import inputs.poetry2nix { inherit pkgs; }).mkPoetryEnv,
defaultPoetryOverrides ? (import inputs.poetry2nix { inherit pkgs; }).defaultPoetryOverrides,
authentikPoetryOverrides ? import ./poetry2nix-python-overrides.nix pkgs,
buildNapalmPackage ? napalm.legacyPackages.${system}.buildPackage,
}:
import ./components {
pkgs.lib.makeScope pkgs.newScope (final: {
authentikComponents = {
docs = final.callPackage ./components/docs.nix { };
frontend = final.callPackage ./components/frontend.nix { };
pythonEnv = final.callPackage ./components/pythonEnv.nix { };
# server + outposts
gopkgs = final.callPackage ./components/gopkgs.nix { };
staticWorkdirDeps = final.callPackage ./components/staticWorkdirDeps.nix { };
migrate = final.callPackage ./components/migrate.nix { };
# worker
manage = final.callPackage ./components/manage.nix { };
};
# for uv2nix
pythonOverlay = final.callPackage ./components/python-overrides.nix { };
inherit
pkgs
authentik-src
authentik-version
mkPoetryEnv
defaultPoetryOverrides
authentikPoetryOverrides
buildNapalmPackage
uv2nix
pyproject-build-systems
pyproject-nix
python
;
};
});
};
perSystem =
{
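Review bot: In the last hunk the scope function appears to drop its `mkPoetryEnv`, `defaultPoetryOverrides` and `authentikPoetryOverrides` arguments, and since the argument set shown has no `...`, a downstream caller still passing any of them would presumably fail at evaluation. Nothing documents the replacement extension point; the only hint is `# for uv2nix` above `pythonOverlay`. A fuller comment such as `# overlay applied to the uv2nix package set; replace it via overrideScope to add package fixes` would tell consumers where their former overrides go. The function's name and the rest of its definition lie outside the hunk.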


@ -1,227 +0,0 @@
pkgs: [
# modules missing only setuptools
(
final: prev:
(builtins.listToAttrs (
map
(name: {
inherit name;
value = prev.${name}.overrideAttrs (oA: {
nativeBuildInputs = (oA.nativeBuildInputs or [ ]) ++ [ final.setuptools ];
});
})
[
"django-cte"
"django-tenants"
"dumb-init"
"drf-orjson-renderer"
]
))
)
(final: prev: {
xmlsec = prev.xmlsec.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.pkgconfig
];
buildInputs = [
pkgs.xmlsec.dev
pkgs.xmlsec
pkgs.libxml2
pkgs.libtool
];
env.NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types";
});
opencontainers = prev.opencontainers.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.pytest
];
postPatch = ''
substituteInPlace setup.py --replace-fail '"pytest-runner"' '''
'';
});
psycopg-c = prev.psycopg-c.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.tomli
pkgs.libpq.pg_config
];
buildInputs = oA.buildInputs ++ [
pkgs.libpq
];
});
twisted = prev.twisted.overrideAttrs (oA: {
buildInputs = oA.buildInputs ++ [
final.hatchling
final.hatch-fancy-pypi-readme
];
});
cryptography = prev.cryptography.overridePythonAttrs (oA: {
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
src = oA.src;
sourceRoot = "${oA.pname}-${oA.version}";
name = "${oA.pname}-${oA.version}";
hash = "sha256-hjfSjmwd/mylVZKyXsj/pP2KvAGDpfthuT+w219HAiA=";
};
});
bcrypt = prev.bcrypt.overridePythonAttrs (oA: {
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
inherit (oA) src;
sourceRoot = "${oA.pname}-${oA.version}/src/_bcrypt";
name = "${oA.pname}-${oA.version}";
hash = "sha256-TD1Qacr2BS3CutGzDcUSweTrlMuKy0U/eIS/oBLxTlI=";
};
});
orjson = prev.orjson.overridePythonAttrs (oA: {
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
inherit (oA) src;
name = "${oA.pname}-${oA.version}";
hash = "sha256-FONzOuF+FU4gKesnqyVOwy0Z9abIF2kv/GHM+pwaCJs=";
};
});
dnspython = prev.dnspython.overrideAttrs (oA: {
buildInputs = oA.buildInputs ++ [
final.hatchling
];
});
sqlparse = prev.sqlparse.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.hatchling
];
});
scim2-filter-parser = prev.scim2-filter-parser.overrideAttrs (oA: {
patches = [
(pkgs.fetchpatch {
name = "replace-poetry-with-poetry-core.patch";
url = "https://patch-diff.githubusercontent.com/raw/15five/scim2-filter-parser/pull/43.patch";
hash = "sha256-PjJH1S5CDe/BMI0+mB34KdpNNcHfexBFYBmHolsWH4o=";
})
];
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.poetry-core
];
});
pendulum = prev.pendulum.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
pkgs.rustPlatform.cargoSetupHook
pkgs.rustPlatform.maturinBuildHook
];
cargoRoot = "rust";
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
src = oA.src;
sourceRoot = "${oA.pname}-${oA.version}/rust";
name = "${oA.pname}-${oA.version}";
hash = "sha256-6WgGIfz9I+xRJqXWhjfGDZM1umYwVlUEpLAiecZNZmI=";
};
});
django-pgactivity = prev.django-pgactivity.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.poetry-core
];
});
docker = prev.docker.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
prev.hatchling
prev.hatch-vcs
];
});
django-pglock = prev.django-pglock.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.poetry-core
];
});
# https://github.com/pyradius/pyrad/pull/168/files
# not included in the latest release :/
pyrad = prev.pyrad.overrideAttrs (oA: {
postPatch = ''
substituteInPlace pyproject.toml \
--replace-fail "poetry.masonry.api" "poetry.core.masonry.api" \
--replace-fail "repository =" "Repository ="
'';
});
msgraph-sdk = prev.msgraph-sdk.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.flit-core
];
});
python-kadmin-rs = prev.python-kadmin-rs.overrideAttrs (oA: {
pythonImportsCheck = [ "kadmin" ];
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.setuptools-rust
final.setuptools-scm
pkgs.cargo
pkgs.libkrb5
pkgs.pkg-config
pkgs.rustPlatform.bindgenHook
pkgs.rustPlatform.cargoSetupHook
pkgs.rustc
pkgs.sccache
];
buildInputs = oA.buildInputs ++ [
pkgs.krb5
];
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
inherit (oA) pname version src;
hash = "sha256-9LCtsX3fuRXCHu5Gd+7OB5JQZ0h6KjSOSan83KUivLQ=";
};
});
gssapi = prev.gssapi.overrideAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [
final.setuptools
final.cython
pkgs.krb5
];
postPatch = ''
substituteInPlace setup.py \
--replace-fail 'get_output(f"{kc} gssapi --prefix")' '"${pkgs.krb5.dev}"'
'';
pythonImportsCheck = [ "gssapi" ];
});
# break dependency cycle that causes an infinite recursion
ua-parser-builtins = prev.ua-parser-builtins.overridePythonAttrs (oA: {
propagatedBuildInputs = builtins.filter (p: p.pname != "ua-parser") oA.propagatedBuildInputs;
});
rpds-py = prev.rpds-py.overridePythonAttrs (oA: {
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
inherit (oA) src pname version;
hash = "sha256-vfx0ZbIgH5UvL1JMYeJIToY35w2axiHngBt5FJUih7c=";
};
});
watchfiles = prev.watchfiles.overridePythonAttrs (oA: {
cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
inherit (oA) src pname version;
hash = "sha256-EuH6svw8eOEpLJYLx+4RFUTTClqfPN07Vc0cjlWoCXw=";
};
});
microsoft-kiota-abstractions = prev.microsoft-kiota-abstractions.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_abstractions" ];
});
microsoft-kiota-serialization-form = prev.microsoft-kiota-serialization-form.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_serialization_form" ];
});
microsoft-kiota-serialization-text = prev.microsoft-kiota-serialization-text.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_serialization_text" ];
});
microsoft-kiota-serialization-json = prev.microsoft-kiota-serialization-json.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_serialization_json" ];
});
microsoft-kiota-serialization-multipart = prev.microsoft-kiota-serialization-multipart.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_serialization_multipart" ];
});
microsoft-kiota-http = prev.microsoft-kiota-http.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_http" ];
});
microsoft-kiota-authentication-azure = prev.microsoft-kiota-authentication-azure.overridePythonAttrs (oA: {
nativeBuildInputs = oA.nativeBuildInputs ++ [ final.poetry-core ];
pythonImportsCheck = [ "kiota_authentication_azure" ];
});
})
]